Regression(r223431): Crash under didReceiveChallenge in NetworkSessio…

…nCocoa https://bugs.webkit.org/show_bug.cgi?id=183134 <rdar://problem/36339049> Reviewed by Alex Christensen. Like other delegates functions in this file, it is possible for didReceiveChallenge to get called after _session has been nulled out. Other delegate functions already had early returns when _session is null. However, such early return was missing in didReceiveChallenge. This patch ends the early return to didReceiveChallenge so that we do not end up calling _session->downloadID(taskIdentifier) on a null _session. * NetworkProcess/cocoa/NetworkSessionCocoa.mm: (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]): Canonical link: https://commits.webkit.org/198851@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229031 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Feb 26, 2018 · de3300981308cdafbc36bd0480c3635166bf1334 · de33009
1 parent aee0343
commit de3300981308cdafbc36bd0480c3635166bf1334
Showing with 24 additions and 1 deletion.

+18 −0 Source/WebKit/ChangeLog

+6 −1 Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,21 @@
+2018-02-26  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r223431): Crash under didReceiveChallenge in NetworkSessionCocoa
+        https://bugs.webkit.org/show_bug.cgi?id=183134
+        <rdar://problem/36339049>
+
+        Reviewed by Alex Christensen.
+
+        Like other delegates functions in this file, it is possible for didReceiveChallenge to get called
+        after _session has been nulled out. Other delegate functions already had early returns when
+        _session is null. However, such early return was missing in didReceiveChallenge.
+
+        This patch ends the early return to didReceiveChallenge so that we do not end up calling
+        _session->downloadID(taskIdentifier) on a null _session.
+
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
+
 2018-02-26  Youenn Fablet  <youenn@apple.com>
 
         MessagePort is not always destroyed in the right thread

diff --git a/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm b/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
@@ -289,6 +289,11 @@ - (void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)data
 
 - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
 {
+    if (!_session) {
+        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
+        return;
+    }
+
     auto taskIdentifier = task.taskIdentifier;
     LOG(NetworkSession, "%llu didReceiveChallenge", taskIdentifier);
 
@@ -342,7 +347,7 @@ - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didRece
         };
         networkDataTask->didReceiveChallenge(challenge, WTFMove(challengeCompletionHandler));
     } else {
-        auto downloadID = _session->downloadID(task.taskIdentifier);
+        auto downloadID = _session->downloadID(taskIdentifier);
         if (downloadID.downloadID()) {
             if (auto* download = WebKit::NetworkProcess::singleton().downloadManager().download(downloadID)) {
                 // Received an authentication challenge for a download being resumed.